# Input variables.
variable "name_prefix" {
  type        = string
  description = "Prefix to be used on each infrastructure object Name created in AWS."
  # The same prefix also forms the Kubernetes ClusterRole / RBAC group name
  # "<name_prefix>-developers" further down, so it has to be a valid
  # Kubernetes object name as well as an AWS-friendly one.
}
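variable "admin_users" {
  type        = list(string)
  description = "List of Kubernetes admins."

  # Every entry is turned into an IAM user ARN in the current account and
  # mapped to the "system:masters" group (cluster-admin equivalent), so an
  # empty or duplicated name would produce a malformed or repeated aws-auth
  # entry. Reject those at plan time instead of at apply time.
  validation {
    condition     = alltrue([for u in var.admin_users : length(trimspace(u)) > 0])
    error_message = "Every entry in admin_users must be a non-empty IAM user name."
  }
  validation {
    condition     = length(distinct(var.admin_users)) == length(var.admin_users)
    error_message = "admin_users must not contain duplicate IAM user names."
  }
}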
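variable "developer_users" {
  type        = list(string)
  description = "List of Kubernetes developers."

  # Each entry becomes an IAM user ARN in aws-auth and a "User" subject of the
  # developers ClusterRoleBinding; the two must agree exactly, so blank or
  # duplicated names are rejected up front.
  validation {
    condition     = alltrue([for u in var.developer_users : length(trimspace(u)) > 0])
    error_message = "Every entry in developer_users must be a non-empty IAM user name."
  }
  validation {
    condition     = length(distinct(var.developer_users)) == length(var.developer_users)
    error_message = "developer_users must not contain duplicate IAM user names."
  }
}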
# Build the 'mapUsers' entries (admins and developers) for the aws-auth configmap.
# NOTE(review): the ARNs are built from the caller identity's account id, so every
# listed user is assumed to live in the same AWS account as the cluster — verify
# this holds before using cross-account IAM users here.
locals {
  # Admins land in "system:masters", the built-in cluster-admin group.
  admin_user_map_users = [
    for u in var.admin_users : {
      userarn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${u}"
      username = u
      groups   = ["system:masters"]
    }
  ]

  # Developers land in the custom "<name_prefix>-developers" group, which is
  # bound to the developers ClusterRole defined below.
  developer_user_map_users = [
    for u in var.developer_users : {
      userarn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${u}"
      username = u
      groups   = ["${var.name_prefix}-developers"]
    }
  ]
}
# Give the freshly created cluster time to become reachable before the
# aws-auth configmap is patched (the configmap resource depends on this).
# NOTE(review): a fixed sleep is a timing workaround, not a readiness check;
# if the API server takes longer than this the apply still fails. The sleep is
# re-run whenever var.cluster_endpoint changes, i.e. on cluster replacement.
resource "time_sleep" "wait" {
  triggers = {
    cluster_endpoint = var.cluster_endpoint
  }

  create_duration = "180s"
}
# Add the 'mapUsers' section (admins + developers) to the existing
# 'aws-auth' configmap in kube-system. Only the 'mapUsers' key is managed here;
# other keys such as 'mapRoles' are left to whatever created the cluster.
resource "kubernetes_config_map_v1_data" "aws_auth_users" {
  # The cluster must be reachable first; see time_sleep.wait.
  depends_on = [time_sleep.wait]

  metadata {
    namespace = "kube-system"
    name      = "aws-auth"
  }

  # `force = true` makes this resource take ownership of the 'mapUsers' field
  # even if another field manager (e.g. eksctl or an EKS module) already set it,
  # so any 'mapUsers' content managed elsewhere is overwritten on every apply.
  # Remember that every admin entry written here carries "system:masters", i.e.
  # unrestricted cluster access.
  force = true

  data = {
    mapUsers = yamlencode(concat(local.admin_user_map_users, local.developer_user_map_users))
  }
}
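# Developers ClusterRole.
# API groups are named explicitly instead of "*" so each rule only matches the
# resource it is meant for (a wildcard group would also match any same-named
# resource in other API groups), and the port-forward rule is narrowed from "*"
# to the single verb kubectl actually uses.
# NOTE(review): this is a ClusterRole bound with a ClusterRoleBinding below, so
# 'pods/exec' and 'pods/portforward' are granted in every namespace, including
# kube-system. If developers only need their own namespaces, prefer a namespaced
# Role + RoleBinding per namespace.
resource "kubernetes_cluster_role" "iam_roles_developers" {
  metadata {
    name = "${var.name_prefix}-developers"
  }

  # Read-only view of core workloads and their logs.
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log", "services"]
    verbs      = ["get", "list"]
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list"]
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingresses"]
    verbs      = ["get", "list"]
  }

  # metrics.k8s.io also exposes a "pods" resource (used by `kubectl top pods`);
  # the previous "*" group covered it implicitly, so keep it explicitly.
  rule {
    api_groups = ["metrics.k8s.io"]
    resources  = ["pods"]
    verbs      = ["get", "list"]
  }

  # Interactive access. `kubectl exec` and `kubectl port-forward` both POST to
  # the subresource, i.e. the "create" verb. NOTE(review): websocket-based
  # clients may additionally need "get" here — confirm against the tooling in use.
  rule {
    api_groups = [""]
    resources  = ["pods/exec", "pods/portforward"]
    verbs      = ["create"]
  }
}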
# Bind every developer user to the developers ClusterRole.
# The subject name must match the 'username' written to aws-auth for that
# user (both come from var.developer_users), otherwise the binding never applies.
resource "kubernetes_cluster_role_binding" "iam_roles_developers" {
  metadata {
    name = "${var.name_prefix}-developers"
  }

  # One "User" subject per developer; toset() drops duplicate names.
  dynamic "subject" {
    for_each = toset(var.developer_users)

    content {
      api_group = "rbac.authorization.k8s.io"
      kind      = "User"
      name      = subject.value
    }
  }

  # Cluster-wide binding: the role applies in every namespace.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "${var.name_prefix}-developers"
  }
}